High-End Gaming Devices Can Leak Personal Information

It's almost as though the criminal hackers will be soon able to read your mind. And new research suggests that maybe they will be able to do so. Personal information, such as “bank cards, PIN numbers, area of living, the knowledge of the known persons,” might be inadvertently leaked through the use of brain-computer interface (BCI) devices used in high-end gaming consoles.

The researchers Ivan Martinovic, Doug Davies, Mario Frank, Daniele Perito, Tomas Ross, and Dawn Song said they wanted to see what kind of simple attacks could reveal personal information. Their talk “On the Feasibility of Side-Channel Attacks with Brain-Computer Interfaces” was given in early August at the 3rd Usenix Workshop of Health Security and Privacy in Bellevue, Washington.

The authors point out that electroencephalography (EEG) is already becoming commonplace. It is used in neurofeedback therapy for attention deficit hyperactivity disorder (ADHD). It is used for epilepsy monitoring, and in diagnosing sleep disorders. It also has valid uses in studying sports and changes in alertness and drowsiness in drivers or the "mental workload of air-traffic control operators." So why not monitor the BCI responses of game players?

Using inexpensive EEG signals generated from Neurosky and Emotiv gaming devices, which sell for between $200 and $300, the researchers were able to detect which of the images shown related to the user’s private or secret information, like information related to credit cards, PIN numbers, the persons known to the user, or the user’s area of residence, etc.

How does this work? When participants in the study were asked to memorize a four-digit PIN and then shown a series of random numbers, the researchers observed EEG spikes that would later allow them to infer which random number was most likely the first digit in the PIN with about 30% accuracy on the first try. That might seem low, but compare that figure with wildly guessing the first digit. With EEG you have a one in three chance of guessing the first digit.

When guessing a password, clues such as the definition of the password—for example, it must include a capital letter, a symbol, and an alphanumeric value of more than 8 characters—are very helpful. It allows an attacker to configure software such as John the Ripper to narrow the search. A narrowed search yields much faster results.

Researcher Dawn Song told Forbes.com the potential attack would be rather easy to pull off. “In this threat model, the attacker doesn’t need to compromise anything. He simply embeds the attack in an app, such as a game using [brain-machine interface] that the user downloads and plays. In this case, the malicious game designs and knows the visual stimuli the user is looking at and also gets the brain signal reading at the same time.”

The study's authors point out that Microsoft’s Xbox 360, Nintendo’s Wii, or Sony’s Playstation3 already include sensors to infer user’s behavioral and physiological states. They do so by measuring hand pressure, heartbeat, facial and voice recognition, "gazetracking," and motion. In time these, too, may have a statistical correlation with the user's personal data.

The problem, then, is biometrics. Since we can't change our minds and bodies respond to certain stimuli, maybe we should change how out gadgets interpret these responses. Unfortunately there are no easy answers here, but this is certainly something to consider going forward.

Robert Vamosi, CISSP, an award-winning journalist and analyst who has been covering digital security issues for more than a decade, is a senior analyst for Mocana, a device security start up. He is also the author of When Gadgets Betray Us and a contributing editor at PCWorld, a blogger at Forbes.com, and a former Senior Editor at CNET. He lives in Northern California.